TestHarness: Allowed Request Headers by XHR
Allowed Request Headers by XHR using testharness.js
By
0
Seen 551 times
Tags
Run this test now.
Results
Chrome
Chrome Mobile
Chromium
Firefox
Googlebot
Safari
Tested on
Chrome - 60 - Mac OS X
| Result | Test Name | Message |
|---|---|---|
| PASS | Header: "accept-charset" should not be allowed | |
| PASS | Header: "accept-encoding" should not be allowed | |
| PASS | Header: "access-control-request-headers" should not be allowed | |
| PASS | Header: "access-control-request-method" should not be allowed | |
| PASS | Header: "connection" should not be allowed | |
| PASS | Header: "content-length" should not be allowed | |
| PASS | Header: "cookie" should not be allowed | |
| PASS | Header: "cookie2" should not be allowed | |
| PASS | Header: "date" should not be allowed | |
| PASS | Header: "dnt" should not be allowed | |
| PASS | Header: "expect" should not be allowed | |
| PASS | Header: "host" should not be allowed | |
| PASS | Header: "keep-alive" should not be allowed | |
| PASS | Header: "origin" should not be allowed | |
| PASS | Header: "referer" should not be allowed | |
| PASS | Header: "te" should not be allowed | |
| PASS | Header: "trailer" should not be allowed | |
| PASS | Header: "transfer-encoding" should not be allowed | |
| PASS | Header: "upgrade" should not be allowed | |
| PASS | Header: "user-agent" should not be allowed | |
| PASS | Header: "via" should not be allowed | |
| PASS | Header: "proxy-" should not be allowed | |
| PASS | Header: "proxy-xyz" should not be allowed | |
| PASS | Header: "sec-" should not be allowed | |
| PASS | Header: "sec-xyz" should not be allowed |
Tested on
Chrome Mobile - 41 - Android
| Result | Test Name | Message |
|---|---|---|
| FAIL | Header: "accept-charset" should not be allowed | Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'https://domstorm.skepticfx.com/helper/headers?filter=TEST'.(stack: Error: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'https://domstorm.skepticfx.com/helper/headers?filter=TEST'.
at Test. |
| PASS | Header: "accept-encoding" should not be allowed | |
| PASS | Header: "access-control-request-headers" should not be allowed | |
| PASS | Header: "access-control-request-method" should not be allowed | |
| PASS | Header: "connection" should not be allowed | |
| PASS | Header: "content-length" should not be allowed | |
| PASS | Header: "cookie" should not be allowed | |
| PASS | Header: "cookie2" should not be allowed | |
| PASS | Header: "date" should not be allowed | |
| PASS | Header: "dnt" should not be allowed | |
| PASS | Header: "expect" should not be allowed | |
| PASS | Header: "host" should not be allowed | |
| PASS | Header: "keep-alive" should not be allowed | |
| PASS | Header: "origin" should not be allowed | |
| PASS | Header: "referer" should not be allowed | |
| PASS | Header: "te" should not be allowed | |
| PASS | Header: "trailer" should not be allowed | |
| PASS | Header: "transfer-encoding" should not be allowed | |
| PASS | Header: "upgrade" should not be allowed | |
| PASS | Header: "user-agent" should not be allowed | |
| PASS | Header: "via" should not be allowed | |
| PASS | Header: "proxy-" should not be allowed | |
| PASS | Header: "proxy-xyz" should not be allowed | |
| PASS | Header: "sec-" should not be allowed | |
| PASS | Header: "sec-xyz" should not be allowed |
Tested on
Chromium - 45 - Ubuntu
| Result | Test Name | Message |
|---|---|---|
| PASS | Header: "accept-charset" should not be allowed | |
| PASS | Header: "accept-encoding" should not be allowed | |
| PASS | Header: "access-control-request-headers" should not be allowed | |
| PASS | Header: "access-control-request-method" should not be allowed | |
| PASS | Header: "connection" should not be allowed | |
| PASS | Header: "content-length" should not be allowed | |
| PASS | Header: "cookie" should not be allowed | |
| PASS | Header: "cookie2" should not be allowed | |
| PASS | Header: "date" should not be allowed | |
| PASS | Header: "dnt" should not be allowed | |
| PASS | Header: "expect" should not be allowed | |
| PASS | Header: "host" should not be allowed | |
| PASS | Header: "keep-alive" should not be allowed | |
| PASS | Header: "origin" should not be allowed | |
| PASS | Header: "referer" should not be allowed | |
| PASS | Header: "te" should not be allowed | |
| PASS | Header: "trailer" should not be allowed | |
| PASS | Header: "transfer-encoding" should not be allowed | |
| PASS | Header: "upgrade" should not be allowed | |
| PASS | Header: "user-agent" should not be allowed | |
| PASS | Header: "via" should not be allowed | |
| PASS | Header: "proxy-" should not be allowed | |
| PASS | Header: "proxy-xyz" should not be allowed | |
| PASS | Header: "sec-" should not be allowed | |
| PASS | Header: "sec-xyz" should not be allowed |
Tested on
Firefox - 60 - Windows 7
| Result | Test Name | Message |
|---|---|---|
| PASS | Header: "accept-charset" should not be allowed | |
| PASS | Header: "accept-encoding" should not be allowed | |
| PASS | Header: "access-control-request-headers" should not be allowed | |
| PASS | Header: "access-control-request-method" should not be allowed | |
| PASS | Header: "connection" should not be allowed | |
| PASS | Header: "content-length" should not be allowed | |
| PASS | Header: "cookie" should not be allowed | |
| PASS | Header: "cookie2" should not be allowed | |
| PASS | Header: "date" should not be allowed | |
| PASS | Header: "dnt" should not be allowed | |
| PASS | Header: "expect" should not be allowed | |
| PASS | Header: "host" should not be allowed | |
| PASS | Header: "keep-alive" should not be allowed | |
| PASS | Header: "origin" should not be allowed | |
| PASS | Header: "referer" should not be allowed | |
| PASS | Header: "te" should not be allowed | |
| PASS | Header: "trailer" should not be allowed | |
| PASS | Header: "transfer-encoding" should not be allowed | |
| PASS | Header: "upgrade" should not be allowed | |
| FAIL | Header: "user-agent" should not be allowed | assert_false: Header 'user-agent' was allowed expected false got true |
| PASS | Header: "via" should not be allowed | |
| PASS | Header: "proxy-" should not be allowed | |
| PASS | Header: "proxy-xyz" should not be allowed | |
| PASS | Header: "sec-" should not be allowed | |
| PASS | Header: "sec-xyz" should not be allowed |
Tested on
Googlebot - 2.1 - undefined
| Result | Test Name | Message |
|---|---|---|
| PASS | Header: "accept-charset" should not be allowed | |
| PASS | Header: "accept-encoding" should not be allowed | |
| PASS | Header: "access-control-request-headers" should not be allowed | |
| PASS | Header: "access-control-request-method" should not be allowed | |
| PASS | Header: "connection" should not be allowed | |
| PASS | Header: "content-length" should not be allowed | |
| PASS | Header: "cookie" should not be allowed | |
| PASS | Header: "cookie2" should not be allowed | |
| PASS | Header: "date" should not be allowed | |
| PASS | Header: "dnt" should not be allowed | |
| PASS | Header: "expect" should not be allowed | |
| PASS | Header: "host" should not be allowed | |
| PASS | Header: "keep-alive" should not be allowed | |
| PASS | Header: "origin" should not be allowed | |
| PASS | Header: "referer" should not be allowed | |
| PASS | Header: "te" should not be allowed | |
| PASS | Header: "trailer" should not be allowed | |
| PASS | Header: "transfer-encoding" should not be allowed | |
| PASS | Header: "upgrade" should not be allowed | |
| PASS | Header: "user-agent" should not be allowed | |
| PASS | Header: "via" should not be allowed | |
| PASS | Header: "proxy-" should not be allowed | |
| PASS | Header: "proxy-xyz" should not be allowed | |
| PASS | Header: "sec-" should not be allowed | |
| PASS | Header: "sec-xyz" should not be allowed |
Tested on
Safari - 7 - Mac OS X
| Result | Test Name | Message |
|---|---|---|
| PASS | Header: "accept-charset" should not be allowed | |
| PASS | Header: "accept-encoding" should not be allowed | |
| PASS | Header: "access-control-request-headers" should not be allowed | |
| PASS | Header: "access-control-request-method" should not be allowed | |
| PASS | Header: "connection" should not be allowed | |
| PASS | Header: "content-length" should not be allowed | |
| PASS | Header: "cookie" should not be allowed | |
| PASS | Header: "cookie2" should not be allowed | |
| PASS | Header: "date" should not be allowed | |
| PASS | Header: "dnt" should not be allowed | |
| PASS | Header: "expect" should not be allowed | |
| PASS | Header: "host" should not be allowed | |
| PASS | Header: "keep-alive" should not be allowed | |
| PASS | Header: "origin" should not be allowed | |
| PASS | Header: "referer" should not be allowed | |
| PASS | Header: "te" should not be allowed | |
| PASS | Header: "trailer" should not be allowed | |
| PASS | Header: "transfer-encoding" should not be allowed | |
| PASS | Header: "upgrade" should not be allowed | |
| PASS | Header: "user-agent" should not be allowed | |
| PASS | Header: "via" should not be allowed | |
| PASS | Header: "proxy-" should not be allowed | |
| PASS | Header: "proxy-xyz" should not be allowed | |
| PASS | Header: "sec-" should not be allowed | |
| PASS | Header: "sec-xyz" should not be allowed |
User Script (TESTHARNESS)
<html>
<head>
<script src="/public/js/testharness-domstorm.js"></script>
<script>
// The userScript for the Module
// W3C Testharness.js
// Turotial: http://darobin.github.io/test-harness-tutorial/docs/using-testharness.html
// W3c Platform Tests: https://github.com/w3c/web-platform-tests
setup({
allow_uncaught_exception: true
});
function shouldReturnFalse(val) {
test(function() {
var client = new XMLHttpRequest();
client.open("GET", "/helper/headers?filter=TEST", false); // we send this synchronously for testing
client.setRequestHeader(val, "TEST");
client.send(null);
var headers = JSON.parse(client.responseText);
// console.log(val);
// console.log(headers);
assert_false(headers.hasOwnProperty(val), "Header '" + val + "' was allowed");
//assert_own_property(headers, val);
}, "Header: \"" + val + "\" should not be allowed");
}
var data = ["Accept-Charset", "Accept-Encoding", "Access-Control-Request-Headers", "Access-Control-Request-Method", "Connection", "Content-Length", "Cookie", "Cookie2", "Date", "DNT", "Expect", "Host", "Keep-Alive", "Origin", "Referer", "TE", "Trailer", "Transfer-Encoding", "Upgrade", "User-Agent", "Via", "Proxy-", "Proxy-XYZ", "Sec-", "Sec-XYZ"];
for (var i = 0; i < data.length; i++) {
var val = data[i].toLowerCase();
shouldReturnFalse(val);
};
</script>
</head>
<body>
Testing using W3C TestHarness.js for XHR Methods
</body>
</html>